New SEC regulations, the rapid rise and adoption of AI, and ongoing global cybersecurity threats and challenges are putting increased pressure on executives and board members to recognize and address these potential risks to their organizations. Many boards are looking to bring on cybersecurity experts to help them navigate these challenges, as well as for broader insights on threat trends, security developments and other critical information to help them stay ahead of the curve. But what does it mean to be a security expert on the board?
At a recent Google Cloud CISO event in New York City, Karenann Terrell, a member of the Google Cloud Advisory Board, told a story about how she attended a cybersecurity subcommittee meeting chaired by the cybersecurity leader on the board of an organization. The meeting took place ahead of the full board meeting and involved cybersecurity experts outside of the organization who brought unique perspectives.
“A board security expert shouldn’t be out to ask ‘stump the chump’ questions to the CISO,” she said at the event. Instead, choosing the right expert to sit on the board can be vital to an organization’s security success.
The best candidates, while having the requisite technical expertise, are those who also approach the position with the goal of raising the board’s overall “security IQ.” This means they should help guide productive security and risk conversations at the board level, and ask the most relevant questions, including:
• Do we have the right protections in place?
• Are we using intelligence to identify and defend against the threats that matter most to us?
• Are our new technologies (such as artificial intelligence) or cloud architectures helping us be more inherently defended against threats?
• Are we practicing sound security fundamentals such as least privilege and hardening to reduce attack surface?
• Are we meeting our compliance requirements?
Our second Perspectives on Security for the Board report builds on the concepts explored in our first report, which introduced the importance of board oversight for cyber risk and AI integration with security. The new report explores in depth which questions are the best ones to ask to raise board security IQ. We cover the board’s security role and responsibilities in cloud adoption, shine a light on the latest threats and their impacts to business, and introduce Google’s Secure AI Framework (SAIF) to help ensure organizations use AI responsibly.
Securing AI systems with Google
Every new technology brings with it new security risks, and AI is no different. With generative AI advancements happening rapidly, Google is committed to ensuring that AI systems are not only safe for users but safe at the development level, too.
Google’s Secure AI Framework (SAIF) is a conceptual framework for secure AI systems that boards can use to help ensure their organizations utilize AI in a responsible way. SAIF offers a practical approach to address top-of-mind concerns for every organization, including security, AI/ML model risk management, and privacy and compliance.
We recommend boards work with their CISOs to implement SAIF’s six core elements in their organizations:
1. Expand strong security foundations to the AI Ecosystem
2. Extend detection and response to bring AI into an organization’s threat universe
3. Automate defenses to keep pace with existing and new threats
4. Harmonize platform-level controls to ensure consistent security across the organization
5. Adapt controls to adjust mitigations and create faster feedback loops for AI deployment
6. Contextualize AI system risks in surrounding business processes
Bolstering the board with security expertise
With this latest report, boards should have a better understanding of their role and responsibilities in risk management during cloud adoption, the global threat landscape and how to respond to threats, and how their organization can use AI in responsible and secure ways.
You can read more about Google Cloud’s security guidance for boards of directors in the full report, “Perspectives on Security for the Board.”